Medium severity5.4NVD Advisory· Published Jan 9, 2026· Updated Apr 15, 2026

CVE-2025-14718

Description

The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Contributor-level access and above, to create, update, delete, and publish malicious workflows that may automatically delete any post upon publication or update, including posts created by administrators.

Affected products

WordPress/Post Expiratorinferred
Range: <=4.9.3
Package: https://wordpress.org/plugins/post-expirator
Publishpress/Publishpress Futurellm-fuzzy
Range: <=4.9.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/changesetnvd
www.wordfence.com/threat-intel/vulnerabilities/id/8198d81a-40c0-49c1-8c38-f5ef6fb911adnvd

News mentions

No linked articles in our index yet.

cvss	0.351
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000